Permitting VPN Traffic Across a Firewall

I'm trying to implement an RRAS-configured Windows 2000 server to permit incoming client VPN connections over PPTP and Layer 2 Tunneling Protocol (L2TP). The server is behind a firewall. What ports do I need to open on the firewall to permit the necessary types of traffic to access the server?

For PPTP VPN connections, you need to open TCP port 1723 for PPTP tunnel maintenance traffic and permit IP Type 47 Generic Routing Encapsulation (GRE) packets for PPTP tunnel data to pass to your RRAS server's IP address. If the PPTP-based RRAS server is the calling router on router-to-router VPN connections (i.e., VPN-based LAN-to-LAN connections to another RRAS server), you need to create an input filter (i.e., inbound rule) on your firewall to open TCP port 1723 as a source port to your RRAS server. For L2TP VPN connections, you need to open UDP port 500 for Internet Key Exchange (IKE) traffic and UDP port 1701 for L2TP traffic. If you restrict outbound traffic, be sure to open all these ports in that direction so that the VPN server can properly communicate with your remote VPN clients.

If VPN traffic is the only traffic you permit to your RRAS server, the best practice from a security standpoint is to deny all traffic except the types I listed in the previous paragraph. I also suggest that you place your RRAS server in a network demilitarized zone (DMZ) rather than on the internal LAN. Chapter 9 of the Microsoft Windows 2000 Server Resource Kit's "Internetworking Guide" volume provides information about properly configuring firewalls for this situation and other VPN server scenarios.